Multi-framework compliance.

16+ frameworks: NIST CSF 2.0, ISO 27001, SOC 2, NIS2, DORA, EBIOS RM, CIS, PCI DSS, GDPR, Loi 25, HDS, ITSG-33, IEC 62443. 1,342 SCF controls with 1,341+ cross-framework mappings. Hosted in Canada.

You validate the same control 4 times. For 4 different frameworks.

Your team collects evidence for ISO 27001. Three months later, the same evidence for SOC 2. Six months later, for NIS2. The next year, for DORA. Four times the same control. Four times the same evidence. Four times the same wasted effort. FortaRisks changes that mechanic. 1,341+ cross-framework mappings mean an ISO 27001 control automatically validates its equivalent in 3 other frameworks. You assess once. You prove everywhere.

Three capabilities. One continuous, multi-framework posture.

16+ frameworks. Maintained up to date. Mapped between each other.

Each framework is implemented at its official level of granularity (function → category → subcategory → control).

Three moments. Three uses.

Case 1

SaaS publisher (simultaneous multi-framework)

150-employee Quebec B2B SaaS publisher. US clients (SOC 2 Type II required), EU partners (NIS2 entering into force), Loi 25 obligation (Quebec clients). Before FortaRisks: 3 separate GRC tools, 3 evidence teams, massive overlaps, 9 months of SOC 2 prep. With FortaRisks: 1 platform, 1 evidence collection, 1,341+ cross-mappings. SOC 2 Type II, NIS2 Article 21 and Loi 25 audit-ready in 14 weeks. GRC effort reduction estimated at 60%.

Case 2

French subsidiary of a Canadian group (EBIOS RM ANSSI)

Canadian manufacturing group, French subsidiary in Lyon, 200 employees. The subsidiary must produce an EBIOS RM risk analysis for a client's supplier-qualification audit (French industrial group). Before FortaRisks: open-source EBIOS RM Studio, a 5-day on-site workshop, deliverables to reformat for the audit. With FortaRisks: the 5 EBIOS RM workshops run in the platform, reuse of the asset graph and CTI signals already ingested, deliverables exported in ANSSI format. Workshop preparation reduced to 2 days.

Case 3

Quebec cooperative bank (DORA via EU subsidiary)

800-employee cooperative bank. French subsidiary entering DORA scope (Digital Operational Resilience Act, applicable January 2025). Subsidiary must prove DORA alignment and management of critical ICT service providers. With FortaRisks: DORA framework mapped to 1,342 SCF controls, 87% automatic alignment via already-validated ISO 27001 controls. DORA-specific gaps identified (critical ICT incident management, resilience testing). Quantified remediation roadmap. Audit-ready in 16 weeks.

Posture is not a silo. All pillars use control maturity.

Control maturity is a reference data point. Without it, other pillars decide in a vacuum. With it, they know what's defended and what's not.

Posture → CTI

Actor TTPs are contextualized by your control coverage. If BlackBasta typically exploits missing MFA and your IAM is at CMM 4, the BlackBasta alert on your stack is prioritized low. If your IAM is at CMM 1, it is prioritized high.

Posture → EASM

EASM findings (port 22 exposed, TLS 1.0 active, etc.) are contextualized by expected controls for that asset. A missing MFA control on an SSH-exposed service becomes a critical security finding, not just a technical finding.

Posture → TPRM

Frameworks declared by your third parties (SOC 2, ISO 27001) are compared against externally observed signals, with automatic detection of drift between what is declared and what is observed.

Posture → AI Risk Engine

Control maturity is the "defense" component of the risk score. Without Posture, the AI doesn't know whether the vulnerable asset is defended; with it, a critical CVE on an already well-protected asset can be ranked at the bottom of the list.

See your multi-framework posture in 30 minutes.

FAQs

1/ How do the 1,341+ cross-framework mappings work?

The mapping engine is calibrated on SCF (Secure Controls Framework), a publicly maintained meta-framework that maps 1,342 controls across major global standards. When you validate a control in ISO 27001 (e.g., A.5.15 — Access control), the engine identifies its equivalents in NIS2 (Article 21.2.f), DORA (Article 9), SOC 2 (CC6.1), and marks these equivalents as "validated via mapping." Each mapping is documented and auditable. You can choose to disable automatic mapping validations if your auditor requires it.
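To make the propagation rule concrete, here is an added illustration (not FortaRisks code) of how a validation in one framework can be carried to its SCF-mapped equivalents, with an auditable trail and an opt-out switch. The mapping table is a constructed sample: the framework references come from the FAQ above, while the SCF control id is a placeholder.

```python
"""Cross-framework mapping propagation: validate once, mark equivalents
as 'validated via mapping'. Illustrative code, not the product's engine."""

# Constructed sample mapping table. Each SCF control lists its equivalent
# reference in every framework it is mapped to (SCF id is a placeholder).
SCF_MAPPINGS = {
    "SCF-PLACEHOLDER-001": {
        "ISO 27001": "A.5.15",
        "NIS2": "Art. 21.2.f",
        "DORA": "Art. 9",
        "SOC 2": "CC6.1",
    },
}


def build_index(mappings):
    """Index (framework, control_id) -> SCF id for direct lookups."""
    index = {}
    for scf_id, refs in mappings.items():
        for framework, control in refs.items():
            index[(framework, control)] = scf_id
    return index


def propagate(validated, mappings, auto_mapping=True):
    """Return (status, audit_trail).

    status maps (framework, control) to 'validated' (assessed directly),
    'validated via mapping' (derived through an SCF equivalence) or
    'not validated'. audit_trail records each derived validation as
    (derived control, source control, scf_id) so an auditor can trace it.
    auto_mapping=False models the auditor-requested opt-out: only direct
    validations count."""
    index = build_index(mappings)
    status = {key: "not validated" for key in index}
    audit_trail = []
    for fw, ctl in validated:
        status[(fw, ctl)] = "validated"  # direct evidence always wins
        if not auto_mapping or (fw, ctl) not in index:
            continue
        scf_id = index[(fw, ctl)]
        for other_fw, other_ctl in mappings[scf_id].items():
            key = (other_fw, other_ctl)
            if status[key] == "not validated":
                status[key] = "validated via mapping"
                audit_trail.append((key, (fw, ctl), scf_id))
    return status, audit_trail
```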

2/ How do you keep frameworks up to date as they evolve?

Continuous regulatory monitoring by our product team. Automatic update of framework content in the platform on each official revision. User notification of changes impacting their posture (e.g., NIST CSF 1.1 → 2.0 published February 2024, NIS2 national transposition by Member State, DORA Regulatory Technical Standards published). Versioned history of assessments before and after each framework change.

3/ What's the difference between the 3 assessment approaches (Baseline / Evidence-based / Comprehensive)?

**Baseline**: rapid self-assessment on the framework's essential controls. Start in 3-5 days. Ideal for a first measurement or secondary framework.

**Evidence-based**: control assessment with evidence collection (documents, captures, attestations). 2 weeks typical. Solid posture, defensible before an auditor.

**Comprehensive**: detailed assessment at all levels (framework → function → category → subcategory → individual control) with multiple evidence per control. 4-6 weeks. Audit-ready posture at ISO 27001 / SOC 2 Type II level.

4/ Can I create my own internal framework or customize an official one?

Yes. "Custom framework" mode available: create your own controls, organized in domains/categories, with your own scoring methodology. You can also extend an official framework (e.g., NIST CSF 2.0 + 12 internal controls specific to your sector). Custom frameworks remain isolated to your tenant and are not exposed to other clients.